Loading
Blog

CIS Controls v8.1 in OT Environments
How to Build a Strategic Roadmap for IT/OT Cybersecurity Alignment

CIS Controls v8.1 offers a prescriptive path to OT cybersecurity maturity. Learn how to align IT and OT teams under one framework.
Brunette specialist working laptop computer on modern huge digital factory. Industrial specialist typing laptop computer wearing safety hardhat in manufacturing facility. Professional concept.

What Are CIS Controls?

The Center for Internet Security Critical Security Controls (CIS CSC) were developed in coordination with the U.S. DHS, NSA, SANS, and other groups to establish a definitive set of the most critical security controls for cybersecurity.

In June 2024, CIS released version 8.1. While this update maintains the Top 18 structure, it introduces a few new enhancements designed to align with the modern threat landscape and other global standards. Notable updates of CIS Controls v8.1 include:

The CIS Controls Top 18 now contains 153 safeguards. This helps organizations looking to bridge the gap between IT and OT since the framework provides a common language that both sides of the house can fully understand.

What Are the Benefits of CIS Controls v8.1?

Aside from its comprehensive set of critical controls, CIS Controls are unique because of its prescriptive nature across different implementation groups. It includes a set of measurable benchmarks for each control to determine if the organization is at level 1, 2, 3, 4 or 5. This “prescriptive” approach helps organizations accelerate their cybersecurity journey by removing the guesswork. Teams can align with pre-defined implementation groups. We have seen this type of approach result in significant benefits in comparison to the more general guidance frameworks.

The most significant benefit of the recent v8.1 update is the emergence of the Govern function. Governance matters because it’s the critical link that makes technical controls enforceable. By elevating policies, procedures, and documentation to the same level as technical safeguards, CIS Controls v8.1 provides the justification needed for OT-specific maintenance windows, patching cycles, and resource allocation. It transforms security from a series of isolated technical tasks into a managed, repeatable business process.

CIS Controls Mapping to NIST CSF 2.0

The table below outlines the 25 Govern safeguards introduced in CIS Controls v8.1 to build a unified roadmap for an enforceable, documented cybersecurity program.

Here are the highlights of how some CIS Controls map to NIST CSF 2.0:

  • Superset alignment: 7 safeguards exceed NIST CSF 2.0 requirements
  • Equivalent alignment: 3 safeguards directly match NIST CSF 2.0 requirements
  • Subset alignment: 15 safeguards partially align with NIST CSF 2.0 requirements
Control CIS Safeguard Title NIST CSF Compliance Identifier Type of Alignment IG1 IG2 IG3
4 4.1 Establish and Maintain a Vulnerability Management Process PR.PS-01 Subset X X X
4 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure PR.PS-01 Subset X X X
6 6.1 Establish an Access Granting Process GV.RR-04 Subset X X X
6 6.2 Establish an Access Revoking Process GV.RR-04 Subset X X X
6 6.8 Define and Maintain Role-Based Access Control PR.AA.05 Equivalent     X
7 7.1 Establish and Maintain a Vulnerability Management Process ID.RA-01 Superset X X X
7 7.2 Establish and Maintain a Remediation Process ID.RA-08 Superset X X X
7 7.2 Establish and Maintain a Remediation Process ID.IM-02 Superset X X X
14 14.1 Establish and Maintain a Security Awareness Program PR.AT-01 Equivalent X X X
15 15.2 Establish and Maintain a Service Provider Management Policy GV.SC-01 Subset   X X
15 15.2 Establish and Maintain a Service Provider Management Policy DE.CM-06 Superset   X X
15 15.4 Ensure Service Provider Contracts Include Security Requirements GV.SC-02 Subset   X X
15 15.4 Ensure Service Provider Contracts Include Security Requirements GV.SC-05 Subset   X X
15 15.4 Ensure Service Provider Contracts Include Security Requirements GV.SC-08 Subset   X X
15 15.5 Assess Service Providers GV.SC-06 Equivalent     X
15 15.6 Monitor Service Providers GV.SC-07 Superset     X
15 15.6 Monitor Service Providers GV.SC-09 Subset     X
15 15.6 Monitor Service Providers DE.CM-06 Subset     X
16 16.1 Establish and Maintain a Secure Application Development Process PR.PS-06 Superset   X X
17 17.2 Establish and Maintain Contact Information for Reporting Security Incidents RS.CO-02 Subset X X X
17 17.2 Establish and Maintain Contact Information for Reporting Security Incidents RS.CO-03 Subset X X X
17 17.2 Establish and Maintain Contact Information for Reporting Security Incidents RS.CO-04 Subset X X X
17 17.4 Establish and Maintain an Incident Response Process RS.MA-01 Superset   X X

Struggling to determine where your organization falls on the maturity scale? Download our Advancing OT Security Maturity with Managed Services Report to see how managed services can accelerate your journey from IG1 to IG3.

Download Now

What Are the Top-Level CIS Controls?

Control Name Safeguards IG1 IG2 IG3
1 Inventory and Control of Enterprise Assets 5 2 4 5
2 Inventory and Control of Software Assets 7 3 6 7
3 Data Protection 14 6 12 14
4 Secure Configuration of Enterprise Assets and Software 12 7 11 12
5 Account Management 6 4 6 6
6 Access Control Management 8 5 7 8
7 Continuous Vulnerability Management 7 4 7 7
8 Audit Log Management 12 3 11 12
9 Email and Web Browser Protections 7 2 6 7
10 Malware Defenses 7 3 7 7
11 Data Recovery 5 4 5 5
12 Network Infrastructure Management 8 1 7 8
13 Network Monitoring and Defense 11 0 6 11
14 Security Awareness and Skill Training 9 8 9 9
15 Service Provider Management 7 1 4 7
16 Application Software Security 14 0 11 14
17 Incident Response Management 9 8 9 9
18 Penetration Testing 5 0 3 5

As seen, these are a comprehensive collection of controls. Version 8.1 maintains the streamlined 18-control structure established in Version 8.

Version 8.1 continues with the practice of identifying Implementation Groups (IG) 1, 2, and 3. These are intended to be approached in sequence, achieving compliance with IG 1 before moving to IG 2. Crucially, CIS Controls v8.1 does not change the mapping of these IGs—helping ensure that organizations already on the path to IG1 compliance do not have to restart their efforts. Each Implementation Group contains safeguards across the various control areas.

As in all cybersecurity standards, developing a robust asset and network inventory is the base element that enables the rest of security to be effective. This is clear in CIS Controls Top 18 just as it is with NIST CSF.

Controls 1 and 2 require hardware inventory or OS inventory as well as comprehensive software inventory on all assets. As one learns about the safeguards of these controls, the power of a deep asset inventory that extends beyond seeing if a hardware device is on the network becomes obvious.

To summarize IG 1 vs. IG 2 and 3, IG 1 focuses on those elements that can be the initial set of safeguards applied. In v8.1, these are now mapped more precisely to modernized asset classes, which allows software to be tracked as a distinct asset type from the physical devices that host them.

Many of the IG 1 tasks are focused on what we’d call asset management—accurate inventory, accurate vulnerability picture, basic networking protections, knowledge of privileged access, timely backups, and so on. These core elements reflect the importance of visibility deep into the environment and the ability to control access, software, and recovery.

How are CIS Controls Implemented?

To achieve maturity for CIS, it requires more than a passive review of assets. This is particularly challenging in OT and creates challenges that we have addressed within SecureOT Platform.

Rockwell Automation works with clients to adapt the standard and enable a single standard across IT and OT. Because CIS Controls v8.1 now directly aligns with the NIST CSF 2.0 Govern function, using SecureOT Platform allows organizations to satisfy both frameworks simultaneously. We work closely with industrial organizations to establish CIS Controls Top 18 programs and build dynamic compliance and security management processes. It’s important to note that the transition to CIS Controls v8.1 provides stability for these programs. Because the IGs remain unchanged, organizations starting at IG1 can continue their progress without disruption.

To bridge these controls from IT into OT, you need to make several adjustments.

Feasibility of Controls

Many controls are not feasible on embedded industrial devices such as PLCs, controllers, and drives. These include items like anti-virus or application whitelisting. In these cases, CIS Controls v8.1’s focus on “Compensating Controls” and the new Govern function allows managers to document exactly why a control isn’t feasible and what alternative protections are in place to navigate the risk.

Some controls are feasible, but the level of reasonable maturity may differ. These include items such as patching on a bi-weekly or monthly basis which is often not appropriate in operational facilities that cannot be regularly rebooted.

OT Customization

Procedural requirements may need “OT customization,” such as items like incident response or red teaming, which require different procedures due to the sensitivity of OT processes. The introduction of “Documentation” as a formal asset class in v8.1 validates this work. For an OT manager, documenting these customized procedures is now recognized as a core security achievement.

Specific Secure Standards

Specific secure standards often need adjusting. For instance, CIS calls for standard secure configurations for different device types. Those configurations will likely be different for OT devices.

Even though there are several adjustments required, there are significant benefits to using this common standard across OT and IT. This includes:

  • Common reporting and measurement across the organization.
  • Shared understanding and vocabulary on security simplifies training and communication.
  • The “prescriptive” nature can accelerate time to security.
  • Editing a standard has proven much easier than creating from scratch.

The CIS Controls Top 18 really requires what we have come to call OT Systems Management. This practice is similar to IT Security Management, which has been practiced for many years. But in OT, assets are not actively managed for many of the reasons above. Implementing CIS Controls as a standard drives greater security and more robust and reliable operations because systems are managed, updated, and controlled on a regular basis.

Over the past decade, we’ve worked with clients implementing different security standards including NIST CSF, 800-53, NERC CIP, and ISA99. While each has its merits, we have found that CIS Controls v8.1 has emerged as the gold standard for large organizations that seek consistency between IT and OT.

With the release of version 8.1, CIS Controls moved beyond a checklist to become a true management framework that brings IT and OT under one umbrella of governance. This shift is critical for security managers since it provides a roadmap that’s prescriptive for the plant floor and strategically aligned for the boardroom.

By adopting CIS Controls v8.1, organizations no longer have to manage two separate security programs. Instead, they can use a single, unified framework that respects the unique constraints of operational technology while providing the rigorous oversight required by corporate IT. Whether you are starting from scratch at IG1 or scaling toward IG3, the path to a resilient and compliant industrial environment has never been clearer.

Bridge the Gap Between IT and OT

CIS Controls v8.1 provides the roadmap, but knowing your starting point is critical. Take our Cybersecurity Preparedness Assessment to evaluate your current maturity level and identify the specific safeguards needed to secure your industrial environment.

Take the Assessment

Published March 12, 2026

You may also be interested in

Loading
Loading
Loading
Loading